Around two months ago Duo Security released their X-Ray Android app.
Developed with funding from DARPA, the app scans an Android device for known security vulnerabilities in the platform itself, including privilege escalation bugs and flaws that allow the device's internal security controls to be bypassed. After gathering data over the last six weeks or so (from over 20,000 users who installed the app), Duo's preliminary figures suggest that over half of the world's Android users have unpatched vulnerabilities of some description on their devices.
“Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far. We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.”
Jon Oberheide, Duo Security
Unlike existing Android security apps, X-Ray does not scan for malicious apps. Instead, it looks for known issues in the Android platform itself. Duo Security suggests that in some cases the vulnerabilities it finds could be used to take "full control" of the device. Scary stuff indeed.
“As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users’ mobile devices often remain vulnerable for months and even years.”
Ironically, considering I would never advise installing from third-party locations, the X-Ray app isn't actually available from Google Play. If you want it you will have to download the APK directly from Duo Security and enable installation from non-Google Play sources on your device. Ooops.